netfilter/iptables - Patch-o-Matic Listing - external

patch-o-matic external repository

ACCOUNT

This patch adds the ACCOUNT target
The ACCOUNT target is a high performance accounting system for local networks.
It takes two parameters: --addr network/netmask and --tname NAME.
--addr is the subnet which is accounted for
--tname is the table name where the information is stored
The data can be queried later using the libipt_ACCOUNT userspace library
or by the "iptaccount" tool which is part of the libipt_ACCOUNT package.
A special subnet is "0.0.0.0/0": All data is stored in the src_bytes
and src_packets structure of slot "0". This is useful if you want
to account the overall traffic to/from your internet provider.
For more information go to http://www.intra2net.com/de/produkte/opensource/ipt_account/

TARPIT - iptables TARPIT target

Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources. Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds. Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.
This offers similar functionality to LaBrea
<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated hardware
or IPs. Any TCP port that you would normally DROP or REJECT can instead
become a tarpit.
To tarpit connections to TCP port 80 destined for the current machine:
iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
To significantly slow down Code Red/Nimda-style scans of unused address
space, forward unused ip addresses to a Linux box not acting as a router
(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
forwarding on the Linux box, and add:
iptables -A FORWARD -p tcp -j TARPIT
iptables -A FORWARD -j DROP
You probably don't want the conntrack module loaded while you are using
TARPIT, or you will be using resources per connection.

geoip - iptables geoip match

This patch makes possible to match a packet
by its source or destination country.
GeoIP options:
[!] --src-cc, --source-country country[,country,country,...]
Match packet coming from (one of)
the specified country(ies)
[!] --dst-cc, --destination-country country[,country,country,...]
Match packet going to (one of)
the specified country(ies)
NOTE: The country is inputed by its ISO3166 code.
The only extra files you need is a binary db (geoipdb.bin) & its index file (geoipdb.idx).
Take a look at http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html
for a quick HOWTO.

ipv4options - iptables ipv4options match

This option adds an iptables 'ipv4options' match, which allows you to
match on IPv4 header options like source routing, record route, timestamp and
router-alert.
Suppported options are:
--ssrr
To match packets with the flag strict source routing.
--lsrr
To match packets with the flag loose source routing.
--no-srr
To match packets with no flag for source routing.
[!] --rr
To match packets with the RR flag.
[!] --ts
To match packets with the TS flag.
[!] --ra
To match packets with the router-alert option.
[!] --any-opt
To match a packet with at least one IP option, or no IP option
at all if ! is chosen.
Example:
$ iptables -A input -m ipv4options --rr -j DROP
will drop packets with the record-route flag.
$ iptables -A input -m ipv4options --ts -j DROP
will drop packets with the timestamp flag.

time - iptables ``time'' match

This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time/date
(arrival time/date at the machine which the netfilter is running on) or
departure time/date (for locally generated packets).
Supported options are:
[ --timestart value ]
Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
[ --timestop value ]
Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
[ --days listofdays ]
Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
[ --datestart date ]
Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 1970)
[ --datestop date ]
Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
h,m,s start from 0 ; default to 2037)
Example:
-A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
to Friday.
-A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon --date-stop 2010
will match the packets (locally generated) that have a departure timestamp
in the range 8:00->18:00 on Monday only, until 2010
NOTE: the time match does not track changes in daylight savings time